More than 230 malicious packages for the personal AI assistant OpenClaw (formerly known as Moltbot and ClawdBot) have been published in less than a week on the tool’s official registry and on GitHub.

Called skills, the packages pretend to be legitimate tools to deliver malware that steals sensitive data, like API keys, wallet private keys, SSH credentials, and browser passwords.

Originally named ClawdBot and switching to Moltbot and now OpenClaw in under a month, the project is a viral open-source AI assistant designed to run locally, with persistent memory and integrate with various resources (chat, email, local file system). Unless configured properly, the assistant introduces security risks.

Skills are readily deployable plug-ins for OpenClaw that extend its functionality or provide specific instructions for specialized activities.

However, security researcher Jamieson O’Reilly recently highlighted that there are hundreds of misconfigured OpenClaw admin interfaces exposed on the public web.

Between January 27th and February 1st, two sets collectively counting more than 230 malicious skills were published to ClawHub (the assistant's official registry) and GitHub.

The skills impersonate legitimate utilities such as cryptocurrency trading automation, financial utilities, and social media or content services, but in the background, they injected information-stealing malware payloads onto users’ systems.

A report from community security portal OpenSourceMalware says that an ongoing large-scale campaign is using skills to spread info-stealing malware to OpenClaw users.

Most of those are near-identical clones with randomized names, while some have reached popular status, downloaded thousands of times.

Each malicious skill contains extensive documentation to appear legitimate, including several highlighted mentions of a separate tool named ‘AuthTool,’ which is supposedly a critical requirement for the skill to run correctly.

The infection occurs when the victim follows the instructions in the documentation, similar to a ClickFix-type of attack.

In reality, though, AuthTool is a malware-delivery mechanism. On macOS, it appears as a base64-encoded shell command that downloads a payload from an external address. On Windows, it downloads and runs a password-protected ZIP archive.

The malware dropped on macOS systems is identified as a variant of NovaStealer that can bypass Gatekeeper by using the ‘xattr -c’ command to remove quarantine attributes and request broad file system read access and communication with system services.

The stealer targets cryptocurrency exchange API keys, wallet files and seed phrases, browser wallet extensions, macOS Keychain data, browser passwords, SSH keys, cloud credentials, Git credentials, and ‘.env’ files.

A separate report from Koi Security counted 341 malicious skills on ClawHub after analysts scanned the entire repository of 2,857, attributing them to a single campaign.

Apart from the tools highlighted in the OpenSourceMalware report, Koi also found 29 typosquats for the ClawHub name, targeting common mistypes.

To help users stay safe, Koi Security also published a free online scanner that lets people paste a skill's URL to get a safety report.

The creator of OpenClaw, Peter Steinberger, responded to OpenSourceMalware on X, admitting inability to review the massive number of skill submissions the platform receives right now, so users are responsible for double-checking their skills’ safety before deployment.

Users should be aware of OpenClaw's deep access to the system. A multi-layered security approach is recommended, which includes isolating the AI assistant in a virtual machine, giving it restricted permissions, and securing remote access to it (e.g., port restriction, blocking traffic).